>Tony Finch has correctly identified in the "SHA-1 chosen prefix collisions
>and DNSSEC" [3] article that when a single record is usually safe,
>multiple records might allow creating a fake signature even in DNSSEC.

There are two types of attacks on hash functions: collisions and second
pre-image attacks. 

There is no practical 2nd pre-image attack for SHA-1, so we can concentrate
on collision attacks. A collision attack requires that the victim
accepts malicious data from an attacker.

There are many, probably even the majority of DNSSEC signed domains,
where this is not an issue. Attackers cannot influence the contents of a
zone. In those cases, using SHA-1 is secure.

Obviously we need to move away from SHA-1 as fast as possible. But we do
those domains a disservice if we treat them as insecure. In
particular, DANE will stop working if a domain is considered insecure.

We already see the operational impact. People with RedHat systems notice
that DANE suddenly stops working. They have no clue where it is coming from,
they just see that unbound doesn't set the AD bit.

The solution should be that RedHat provides a way to link with a different
crypto library that does support RSASHA1.


_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org